Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

I did this a while ago:-
http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/

It works well most of the time. Obviously it's not a form of security, as the keys are generated on the client, but many spammers don't execute JS in their tools. Some use browsers or have a parser, but the majority don't.

I applied it to CSRF as well:-
http://www.thespanner.co.uk/2007/10/19/jsck/

If the domain and path of the cookie are set at a high level of generality and you have multiple subdomains, then you don't just have to worry about XSS in the domain in question but about all subdomains, since they will all have access to the cookie.